On Dec 21, 2016, at 10:41 AM, Ray Bellis <r...@bellis.me.uk> wrote:

> RPZ is primarily used to protect end-users from visiting sites
> associated with malware, either because the A / AAAA result of a lookup
> resolves to a particular address, or because the NS set used to resolve
> the query shares resolvers with ones used by malevolent actors.
>
> Those malevolent actors are just as capable of using DNSSEC.
Yes, but we don’t care. The DNS infrastructure will still block queries to their zones; the difference will be that now the end node can _tell_ that the infrastructure blocked the queries. Of course, some things you can do without DNSSEC you can’t do with DNSSEC. You can’t send the browser to a _different_ web server. This breaks some usage models, and would certainly cause my employer some pain. I think that a transparent way of signaling that a zone has been blocked and signaling why it was blocked is worth doing as well. But independent of that, if RPZ spurs further deployment of DNSSEC, I would consider that a win.
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
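A toy model of the point made in the reply, added here and not part of the thread or of any RPZ implementation: HMAC stands in for RRSIG, the key, zone names and addresses are constructed, and the RPZ actions are simplified to NXDOMAIN, REDIRECT and PASSTHRU. It shows a validating stub marking an RPZ-rewritten answer for a signed zone as bogus (the block is visible, and a redirect to a different server never reaches the application), while the same rewrites on an unsigned zone are indistinguishable from real data.

```python
import hashlib
import hmac

# Constructed key standing in for the zone's signing key. HMAC replaces the
# public-key RRSIG of real DNSSEC; the resolver in the middle still cannot
# produce a valid tag for data it invents.
SIGNED_ZONE_KEY = b"constructed-zsk-for-evil.example"
SIGNED_ZONES = {"evil.example."}

def rrsig(name, rtype, rdata):
    msg = f"{name}|{rtype}|{rdata}".encode()
    return hmac.new(SIGNED_ZONE_KEY, msg, hashlib.sha256).hexdigest()

# Constructed authoritative data: evil.example. is signed, plain.example. is not.
AUTH = {
    ("www.evil.example.", "A"): ("192.0.2.10", rrsig("www.evil.example.", "A", "192.0.2.10")),
    ("www.plain.example.", "A"): ("192.0.2.20", None),
}

def rpz_resolve(name, rtype, action):
    """Recursive resolver applying an RPZ policy action to the query."""
    if action == "NXDOMAIN":
        # A signed denial needs signed NSEC/NSEC3 records; the resolver has none.
        return {"rcode": "NXDOMAIN", "rrset": None, "rrsig": None, "nsec_rrsig": None}
    if action == "REDIRECT":
        # Walled-garden address substituted by policy; no key to sign it.
        return {"rcode": "NOERROR", "rrset": (name, rtype, "203.0.113.1"), "rrsig": None}
    rdata, sig = AUTH[(name, rtype)]          # PASSTHRU: authoritative data untouched
    return {"rcode": "NOERROR", "rrset": (name, rtype, rdata), "rrsig": sig}

def zone_of(name):
    return name.split(".", 1)[1]

def validate(name, rtype, resp):
    """Validating stub: 'insecure' for an unsigned zone (nothing to check),
    'secure' when the signature or denial proof verifies, else 'bogus'."""
    if zone_of(name) not in SIGNED_ZONES:
        return "insecure"
    if resp["rcode"] == "NXDOMAIN":
        return "secure" if resp.get("nsec_rrsig") else "bogus"
    _, _, rdata = resp["rrset"]
    sig = resp["rrsig"]
    ok = sig is not None and hmac.compare_digest(rrsig(name, rtype, rdata), sig)
    return "secure" if ok else "bogus"

def lookup(name, rtype, action):
    """What the end node ends up with: (validation status, address or None)."""
    resp = rpz_resolve(name, rtype, action)
    status = validate(name, rtype, resp)
    rdata = resp["rrset"][2] if status != "bogus" and resp["rrset"] else None
    return status, rdata
```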